Package : otrs2 Version : 3.3.18-1+deb8u10 CVE ID : CVE-2019-12248 CVE-2019-12497
Two security vulnerabilities were discovered in the Open Ticket Request System that could lead to information disclosure or privilege escalation. New configuration options were added to resolve those problems.
An attacker could send a malicious email to an OTRS system. If a logged in agent user quotes it, the email could cause the browser to load external image resources.
In the customer or external frontend, personal information of agents can be disclosed like Name and mail address in external notes.
For Debian 8 "Jessie", these problems have been fixed in version 3.3.18-1+deb8u10.
We recommend that you upgrade your otrs2 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS